
Kaspersky Lab discovers multiple vulnerabilities in widely spread corporate license management software

22 January 2018

A popular license management token opens a hidden remote access channel for an attacker

Kaspersky Lab ICS CERT researchers have found a variety of serious vulnerabilities in the Hardware Against Software Piracy (HASP) license management system, which is widely used in corporate and ICS environments to activate licensed software. The number of systems affected by the vulnerable technology may run to hundreds of thousands or more worldwide.

The USB tokens in question are widely used in different organizations for convenient software license activation. In a normal use case, a company’s system administrator would go to the computer with the software that needs to be activated and insert the token. The token then confirms that the software is legitimate (not pirated) and activates it, so that the user of the PC or server can use the software.

Once the token is attached to a PC or a server for the first time, the Windows OS downloads the software driver from the vendor’s servers so that the token hardware works properly with the computer hardware. In other cases, the driver comes installed with third-party software that uses the aforementioned system for license protection. Our experts have found that, upon installation, this software adds port 1947 of the computer to the list of exclusions of the Windows Firewall with no proper user notification, making it available for a remote attack.

An attacker would only need to scan the targeted network for open port 1947 in order to identify any remotely available computers.

More importantly, the port remains open after the token has been detached, which is why even in a patched and protected corporate environment an attacker would only need to install software that uses the HASP solution, or attach the token to a PC once (even a locked one), in order to make it available for remote attacks.

Overall, researchers have identified 14 vulnerabilities in a component of the software solution, including multiple DoS vulnerabilities and several RCEs (remote execution of arbitrary code), which, for instance, are automatically exploited not with user rights but with the most privileged system rights. This gives attackers the opportunity to execute arbitrary code. All of the identified vulnerabilities are potentially very dangerous and can result in big losses for businesses.

All the information has been reported to the vendor. All discovered vulnerabilities received the following CVE numbers:

“Given how widespread this license management system is, the possible scale of consequences is very large, because these tokens are used not only in regular corporate environments, but also in critical facilities with strict remote access rules. The latter could easily be broken with the help of the issue which we discovered to be putting critical networks in danger”, says Vladimir Dashchenko, Head of vulnerability research group, Kaspersky Lab ICS CERT.

Upon discovery, Kaspersky Lab reported these vulnerabilities to the affected software vendors and the companies subsequently released security patches.

Kaspersky Lab ICS CERT strongly recommends that users of the affected products do the following:

  • Install the latest (secure) version of the driver as soon as possible, or contact the vendor for instructions on updating the driver.
  • Close port 1947, at least on the external firewall (on the network perimeter) – but only as long as this does not interfere with business processes.
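
To check whether a given Windows host carries the exposure described above, the following read-only PowerShell audit lists enabled inbound allow rules that cover port 1947 and any process listening on it. It is an added example, not code from Kaspersky Lab or the token vendor; the helper name `Test-PortMatch` is hypothetical, and the script assumes an elevated session on Windows 8 / Server 2012 or later.

```powershell
# Added example: read-only audit of one host for the port 1947 exposure.
$Port = 1947

# Hypothetical helper: does a firewall LocalPort filter (single ports or
# ranges such as "1900-2000") explicitly cover $Port?
function Test-PortMatch {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) {
            return $true
        }
    }
    return $false   # 'Any' and named ports are not treated as explicit matches
}

# 1. Enabled inbound allow rules whose port filter names 1947.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        if (Test-PortMatch -LocalPort $filter.LocalPort -Port $Port) {
            $app = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Rule     = $_.DisplayName
                Profile  = $_.Profile
                Protocol = $filter.Protocol
                Program  = $app.Program
            }
        }
    }

# 2. Processes currently listening on TCP 1947 (the port stays open even
#    after the token has been removed, so check regardless of token state).
$listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Address   = $_.LocalAddress
            ProcessId = $_.OwningProcess
            Process   = $proc.ProcessName
        }
    }

"Inbound allow rules covering port ${Port}: $(@($rules).Count)"
$rules | Format-Table -AutoSize
"Listeners on TCP ${Port}: $(@($listeners).Count)"
$listeners | Format-Table -AutoSize
```

A host that reports a rule, a listener, or both is a candidate for the driver update and for review of whether the firewall exclusion is needed for business processes.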

You can read more about these vulnerabilities in the blog post on the Kaspersky Lab ICS CERT website.

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company celebrating its 20 year anniversary in 2017. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com

About Kaspersky Lab ICS CERT

Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) is a global project launched by Kaspersky Lab in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky Lab ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things. During its first year of operation, the team identified over 110 critical vulnerabilities in products by major global ICS vendors. Kaspersky Lab ICS CERT is an active member and partner of leading international organizations that develop recommendations on protecting industrial enterprises from cyberthreats.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
